CA/WoSign Issues: Difference between revisions

Jump to navigation Jump to search

CA/WoSign Issues (view source)

Revision as of 13:47, 20 September 2016

382 bytes removed ,  20 September 2016
Remove questionable assertion
(Update with some Mozilla conclusions)
(Remove questionable assertion)
Line 367: Line 367:


* This issue does not paint a picture of careful software development practices and quality assurance - having unused code around capable of issuing BR-violating certificates does not seem like responsible practice.
* This issue does not paint a picture of careful software development practices and quality assurance - having unused code around capable of issuing BR-violating certificates does not seem like responsible practice.
* WoSign assert that the fact that the cert was SHA-1 was a "SHA-1 parameter request" - i.e. the SHA-1-ness was caused by the requester. However, as we understand it, the request was the same as a request which produced a SHA-256 certificate from StartCom, except for the change of the API parameter. Therefore, the SHA-1-ness was WoSign's responsibility, not part of the request.


* The question of why StartCom was able to trigger certificate-issuance code which WoSign has stopped developing and maintaining is also still open.
* The question of why StartCom was able to trigger certificate-issuance code which WoSign has stopped developing and maintaining is also still open.
Gerv
Account confirmers, Anti-spam team, Confirmed users, Bureaucrats and Sysops emeriti
4,925

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1148408"

Navigation menu